Verication of Embedded Systems Using Synchronous Observers Martin Westhead1 and Simin Nadjm-Tehrani2 1 martinwe@aifh.ed.ac.uk, Dept. of Articial Intelligence, University of Edinburgh, 5 Forrest Hill,Edinburgh, U.K. 2 simin@ida.liu.se, Dept. of Computer Information Science, Linkoping University S-581 83 Linkoping, Sweden Abstract. This paper is a study of observer-based proof techniques ap- plied to the verication of a model of a real world embedded system, an aircraft landing gear. We present a formal description of these techniques (taken from [5]) and look at three ways of applying them, comparing verication of the composed system with two approaches to decompositional verication. The example illustrates that due to the tight interaction in a plant-controller setting there is often little to be gained by adopting a decompositional approach to verication. Nonetheless, two reasons are presented for separation between the controller and its environment at the modelling stage. Hence the result of the study is that in cases similar to this one, it is most expedient to prove system properties using the composed model derived from individual parts. 1 Introduction A major application area for automatic verication is embedded systems where software controllers interact with a physical environment. Verifying safety and timeliness properties for such systems has recently attracted a lot of attention in the context of hybrid systems { where models with both continuous and discrete elements are subject to study[4]. In this paper we explore an alternative methodology, namely analysis of real-time control programs in combination with discrete abstractions of their environment (the plant). As a formalism for this investigation we have chosen an abstraction of a synchronous program, a synchronous Input/Output (I/O) machine, as dened by Halbwachs et.al. [5]. This formalism is typically used to provide the formal semantics for programming languages such as Esterel and for dening the criteria for accepting well-behaved programs. Here we use the formalism for modelling embedded systems; this gives us the possibility of using the associated verication technology in our case study. This approach has obvious benets. First, we use the Esterel development environment and verication techniques for proving properties which can not be proved using the model of the control program alone. These are properties which depend on the tight interaction between the plant and the controller. Secondly, once the composed model of the embedded system has been proved to have its desired properties the conversion of the realtime program to C code (or a circuit) is a matter of routine translation provided within the Esterel environment. Thus, existing and well-understood verication techniques for discrete models can be applied in a new setting. The price to pay is the derivation of explicit models for the environment. In this paper we argue that this is a viable undertaking. The plant model we use is based on the physically grounded models derived elsewhere[10]. It can also be seen as the discrete structure extracted from a hybrid model based on Delta IO machines currently under development [12]. The verication technique we employ is the observer-based method given by Halbwachs et.al. [5], where a safety property of an I/O machine M is dened in terms of another machine called a synchronous observer. The observer watches the inputs and outputs of M , and if they ever violate the safety property it emits an alarm signal. A restriction of the method is that only safety properties are expressible. The observer-based technique can also be applied in a decompositional3 way which has been suggested elsewhere as a means for reducing complexity of proofs [1, 7, 3, 2]. Supposing we have a system of two components, and some overall property we wish to prove that the system satises. Instead of composing the system and verifying the property directly, we wish to carry out a smaller proof step involving an intermediate property on each of the components. Unfortunately it is not always clear how to obtain this intermediate property nor for that matter whether these new proofs will be easier. In this paper we study this problem in the context of a an aircraft landing gear controller adopted from a real-world application[10]. The method is interesting to study since for our class of embedded systems there is an obvious (plant-controller) breakdown of the components. Thus, we study whether this particular decomposition pays o during verication. The example illustrates the use of an explicit model of the environment for proving safety properties which depend on the correct interaction between the plant and the controller. The plant model can be used in a one shot compositional verication of the embedded system, or alternatively for deriving the weakest observer leading to proofs of safety property in a decompositional framework. In the paper we explain, again in the context of this example, why both of these approaches are more appropriate than decompositional verication using ad hoc intermediate properties. In the next section we present the formal denition of an observer with other denitions required for the rest of the paper. Section 3 describes a model of the aircraft landing gear in terms of synchronous I/O machines, and compares dierent proofs of a safety property. Finally in section 4 we return to the theory, and consider how the automatic synthesis of an intermediate property can be carried out. Earlier applications of the automata approach within control systems can be found in [11]. A more recent use of the observer based methodology within 3 Note that the term `compositional verication' is sometimes used for the approach we denote by decompositional in this paper. We shall use the term compositional verication when we refer to a one shot verication of a composed system. telecommunication is reported in [6]. 2 Preliminaries In this section we present some basic notions adopted from the work of Halbwachs et.al. which are used in the rest of the paper. Central to the modelling approach that we adopt is the concept of non-symmetric communication. This is dierent from the communication mechanism in e.g. process algebras [8] in that it allows an observer to observe the behaviour of a system without modifying it. Another model with a similar property is dynamic transition systems [9] which uses changes in the value of state variables for representing dynamic behaviour. In this paper we use the syntax of signal (event) based I/O machines { the prime motivation being the use of existing automatic verication tools, Mauto and Autograph for the synchronous language Esterel (which can be compiled to I/O machines). 2.1 Basic Denitions Denition 1. Let S be a set of signals, and Es == 2S be the set of events on S . An I/O machine M is a 5-tuple (QM ; q0M ; IM ; OM ; M ) such that { QM is the set of states containing q0M , the initial state { IM S; OM S are the disjoint sets of input and output signals respectively { M QM EIM EOM QM is the transition relation. We require our specied systems to be reactive, i.e. 8q 2 QM ; 8i IM ; i 6= ; ) 9(o; q0 ) such that (q; i; o; q0 ) 2 M Such an I/O machine in response to a sequence (i1 ; i2 ; : : : ; in ; : : :) of input events returns a sequence (o1 ; o2 ; : : : ; on ; : : :) of output events, such that there exists a sequence (q0 ; q1 ; : : : ; qn ; : : :) of states with q0 = q0M and (qn,1 ; in ; on ; qn ) 2 M for all n 1. The sequence ((i1 [ o1 ); (i2 [ o2 ); : : : ; (in [ on ); : : :) will then be called a trace of the machine. A deterministic machine has at most one possible reaction to a given input O the function event. For a reactive deterministic machine M we denote by M giving, for a state q and an input i, the output event o such that (q; i; o; q0 ) 2 M . Denition 2. Let M be an I/O machine, and O0 OM . The projected machine M # O0 is (QM ; q0M ; IM ; O0 ; 0), where 0 = f(q; i; o \ O0 ; q0) j (q; i; o; q0) 2 M g. Denition 3. Let M1 and M2 be two I/O machines with OM1 \ OM2 = ;. The synchronous product of M1 and M2, denoted by M1 k M2, is the I/O machine M where { QM = QM1 QM2 ; q0M = (q0M1 ; q0M2 ) { IM = (IM1 n OM2 ) [ (IM2 n OM1 ); OM = OM1 [ OM2 { ((q1 ; q2); i; o; (q10 ; q20 )) 2 M , (q1 ; (i [ o) \ IM1 ; o \ OM1 ; q10 ) 2 M1 and (q2 ; (i [ o) \ IM2 ; o \ OM2 ; q20 ) 2 M2 2.2 Verication of Safety Properties In the verication approach based on I/O machines a safety property is considered as a set of traces. A trace on a set of signals S is a nite or innite sequence of events on S . A property P on S is a safety property i 2 P , 0 2 P for any nite prex 0 of Central to the verication approach used here is the notion of observer. Denition 4. Let P be a safety property on S . Let be a (alarm) signal not in S . An observer of P is a machine (Q P ; q0 P ; S; fg; P ) which is both deterministic and reactive with the following property. Let q be the state that P reaches after reading the (possibly empty) trace . Then for any event e 2 2S :e 2 P O P (q ; e) = ;fg ifotherwise We further assume that all transitions with an fg output event lead to a distinguished state q in P . Note that such a machine returns a sequence of empty output events as long as it receives a sequence of input events belonging to the safety property P . Moreover, the q state is not reachable from the initial state as long as the input traces are in P . Thus, the observer machine can be used for verication purposes as follows: An I/O machine M satises a safety property P i the composed machine M k P never outputs any event containing . 2.3 Decompositional Verication The above technique can of course be applied for verifying a program which in turn consists of a number of parallel modules. For verifying that M1 k M2 satises the safety property P , one may construct the machine M = M1 k M2 and ensure that (M k P ) # emits only empty output events. Halbwachs et.al. [5], however, propose an additional method for decompositional verication which they suggest might be more ecient in some cases. The decompositional approach works as follows. Assume that we are interested in proving the safety property P in a system composed of modules M1 and M2 . They suggest a two-step verication procedure which requires the additional notion of restriction. For any X QM , let g preM (X ) = fq j 8i8o8q0 such that (q; i; o; q0 ) 2 M ; q0 2 X g be the set of states having all their successors in X . Denition 5. Let M be an I/O machine and P an observer for a safety property P . Let M 0 = M k P . Then sinkP is the set of states in M 0 leading inevitably to the violation of property P , and dened as follows: sinkP = X:g preM ((QM fqg) [ X ) where is the least xed point operator. Denition 6. Let M be an I/O machine and P an observer for a safety property P . Let M 0 = M k P and assume q0M 62 sinkP . Then the nonblocking restriction of M 0, denoted by M=1 P , is the I/O machine (QM n sinkP ); q0M ; IM ; OM ; 00 ) where 00 = f(q; i; o; q0 ) 2 M j q; q0 62 sinkP and 62 og Intuitively, the resulting machine has no traces with events in, neither has it any states from which all the outgoing transitions (now pruned) had events before the restriction. The two steps of decompositional verication can then described as follows. To prove that M1 k M2 satises the property P on S = IM1 [ OM1 [ IM2 [ OM2 , nd a property P 0 on IM2 [ OM2 such that 1. M2 satises P 0 2. M1 =1 P satises P . That is, nd a reasonable approximation to M2 which has the necessary properties so that when composed with M1 the required safety property is met by the combined system. An obvious application of this method is in the case of embedded systems. Then let M1 correspond to our embedded software, M2 correspond to its surrounding environment, and P 0 correspond to a relevant property of the environment. The proof then tells us that provided the environment of the software behaves as it should then the closed system has the required property. This decompositional technique will be worthwhile only if each of these two steps is `simpler' than the one shot approach of verifying the composed system. Our conjecture is that for a large class of embedded systems this is unlikely to be the case. The question is complicated by the fact that there is a potentially innite number of possible intermediate properties P 0 that could be chosen. A crucial question is then: how to chose a suitable P 0 . For example, assume we have a property P 0 which is thought to be suitable. If the second step above fails, then the cause of the failure may be in either of the two components (the module M1 or the abstraction of M2; P ). If the property P 0 has been derived ad hoc then either M1 or P 0 and ultimately M2 may have to be changed. This can lead to an iterative process, where at each step the source of the current failure is tracked down and a x attempted. One way of avoiding these iterations would be if we could synthesize the weakest property P 0 which satised step 2 above. If such a property can be generated then we know that if step 1 fails then it is our model of the system, M1 or M2 that is at fault. In section 4 we look at a synthesis technique, and some of the technical details associated with it. First we present our example, and show how these verication techniques can be applied. 0 0 0 0 0 0 0 3 Example: Aircraft Landing Gear In this section we use a model of a real world system to illustrate and assess observer-based verication. The system we have chosen to model is that taken from studies of the landing gear system of the Swedish JAS 39 Gripen multirole combat aircraft. This system has been modelled using a number of dierent formalisms, at various levels of complexity [10]. The earlier work included models where the relation between the physical properties of the hydraulic subsystem and the landing gear actuators could be studied. This enabled the study of the timeliness properties which are not covered here. The model of the plant used in this paper is an abstraction of the physical models sucient for the expression of a safety property. We consider the plant as being composed of two simple mechanical systems, a door and a gear, interacting with a software controller. The pilot can give a command for the gear to be extended or retracted. Extending the gear for example involves the door being opened, the gear being lowered, and then the door being closed again. The safety property which can be expresses in terms of synchronous observers is the property that the gear and door should never collide under operation. 3.1 Modelling In this section we present various components of the system and discuss the composed model. To begin with a hybrid model of the plant was developed using the hybrid formalism of Delta IO machines [12]. The formalism represents a simple extension of discrete synchronous systems which allows the modelling of continuous processes within the framework of a standard synchronous language, in this case Esterel. In this paper we present the discrete structure of that model which contains sucient information for verifying the safety property we are interested in. The models are presented as I/O machines. They were generated directly from the Esterel compiler, and drawn using the Autograph package. Transitions on the graphs are signal operator pairs concatenated by full stops. The '!' operator represents that a signal is being output, a '?' operator represents signal input, and a '#' is an operator representing the absence of a signal from the input of a reaction. The Plant For our purposes here, the 'plant' is considered to consist of every- thing beneath the software control system. This includes not just the physical system, but also the sensors, and the interface of the sensors with the controller. Figure 1 shows an I/O machine representing the discrete fraction of the door model. This is half of the total plant model, the other half being the gear itself, which has very similar functionality (but will not be depicted here). The gear is raised and lowered in the same way that the door is opened and closed. The plant model is given by the parallel composition of the door and the gear models. The machine in gure 1 has four states, the double ringed one representing the initial state. The two states shown here on the left and right of the diagram !d !d .. #cd #cd OPENING OPENING ?dq ?dq .. ?od ?od .. !dc !dc ?dq ?dq .. !dc !dc .. #od #od CLOSED CLOSED #dq #dq .. #od #od ?dq .. !dro !dro .. #cd #cd !d !d .. !dro !dro .. #cd #cd ?dq ?cd ?cd .. !d !d .. !dro !dro ?od ?od .. #dq #dq ?od ?od .. !d !d ?cd ?cd .. !d !d OPEN OPEN ?od ?od .. !d !d .. !dc !dc #cd #cd .. #dq #dq ?cd ?cd .. #dq #dq !d !d .. !dc !dc .. #od #od CLOSING CLOSING ?cd ?cd .. ?dq ?dq .. !dro !dro !d !d .. #od #od inputs od open door cd close door dq door query outputs dro dc d door open door closed door in motion Fig. 1. A model of the door as an I/O machine showing input and output signals represent the fact that the door is stationary, and open or closed respectively. The top and bottom states represent the movement of the door. The door can receive three inputs: od and cd are requests from the controller for the door to be opened and closed respectively, dq is a request from the controller for the door to report its state. As we can see from the transitions if the door is stationary (in states OPEN or CLOSED) and it receives a dq, it will report its current state with the outputs dro or dc, (door open and closed). If the door is in motion, the dq signal is ignored. On the transition from OPENING to the the OPEN state the door emits a dro without prompting, (and of course a dc for the corresponding CLOSING case). The signal d is a signal indicating the movement of the door. It is emitted spontaneously on an empty input whenever the position of the door is updated i.e. when the door moves. So the operation of the door is essentially a cycle. It starts closed. A od will start it opening, once open a cd will start it closing again. At any stage its movement can be reversed by the appropriate command. The Controller The controller is not depicted here because the state machine produced is too complicated to make easy sense of, consisting of 8 states and 48 transitions. The Esterel code for it is given instead in the Appendix. The controller communicates with the plant via the ten control and sensor signals. In addition it receives two signals from the pilot, cmd up and cmd down representing commands to extend and retract the gear. It is assumed that the controller should allow the pilot to disrupt the process of extension or retraction of the gear at any stage. It was also intended that the controller should not simply assume knowledge of the position of gear and door, but must check, every time a command is issued. The System A diagram of the composed system is shown in gure 2. This model has been automatically generated using the parallel composition of the plant and controller models. From the initial state at the top, a cmd down signal will start the door moving (opening) this can be seen on the graph as the transition !d . #cmd up. Once the door is open the gear starts moving (lowering) and nally the door moves again (closing) and comes to rest. This is the progression down the left hand side of the diagram. At any stage if we receive a cmd up signal, this will move control to the right hand side which brings the gear up. We can clearly see just from this diagram that our composed system (8 states, 28 transitions) is simpler in terms of reachable states and transitions than either the plant model (16 states, 256 transitions) or the controller (8 states, 48 transitions) from which it is composed. 3.2 Compositional Verication The property that we are interested in verifying is that the landing gear and the door will not collide. This property we prove by proving the stronger property that the door should always be open and stationary when the landing gear is in motion. This second property can be seen as two properties, that the door and gear are never moving at the same time, and that the door is always open when the gear is in motion. Notice that both properties, are properties of the composed system, and cannot hold over just the plant or controller. These two properties can be checked by a pair of observer machines combined in parallel4. Figure 3 shows these machines. The rst simply emits an alarm and halts whenever an event occurs containing the signals g and d at the same time, indicating that the door and gear have moved at the same time. The second machine watches the signals dro and dc which are sensor states from the plant emitted when the door is open and closed respectively. This second machine emits an alarm if g ever occurs when the sensors have indicated that the door is not open. In order to check that the system satises the safety property, the complete observer is combined in parallel with the system, and the resulting state machine checked for the emission of signals. Of course the proof is successful, and our composed system behaves as we require. 4 These two machines share a common output which technically means that they can't be combined using the product operator that was dened. This can be practically solved by calling the respective observers' outputs 1 and 2 and renaming both outputs to in the composed machine. #cmd_down #cmd_down DOOR DOOR CLOSED CLOSED GEAR GEAR RAISED RAISED ?cmd_down ?cmd_down !d !d .. #cmd_up #cmd_up !d !d .. #cmd_down #cmd_down !d !d .. #cmd_down #cmd_down ?cmd_down ?cmd_down .. !d !d ?cmd_up ?cmd_up .. !d !d !g !g .. #cmd_up #cmd_up !d !d .. #cmd_up #cmd_up !g !g .. #cmd_down #cmd_down ?cmd_down ?cmd_down .. !g !g !g !g .. #cmd_down #cmd_down ?cmd_up ?cmd_up .. !g !g !d !d .. #cmd_down #cmd_down !g !g .. #cmd_up #cmd_up !d !d .. #cmd_up #cmd_up ?cmd_down ?cmd_down .. !d !d !d !d .. #cmd_down #cmd_down ?cmd_up ?cmd_up .. !d !d !d !d .. #cmd_up #cmd_up ?cmd_up ?cmd_up DOOR DOOR CLOSED CLOSED GEAR GEAR LOWERED LOWERED #cmd_up #cmd_up inputs cmd up pilot command | raise gear cmd down pilot command | lower gear outputs d g door in motion gear in motion Fig. 2. A model of the complete system. Communications between plant and controller could be shown here as outputs, but for clarity have been omitted. #dc #dc #dro #dro .. #g #g #g #g ?g ?g .. #d #d ?d ?d .. ?g ?g .. !! αα α α inputs d g dro dc ?dro ?dro ?dc ?dc ?g ?g .. !! αα .. #dro #dro α α door in motion gear in motion door open door closed outputs alarm Fig. 3. An observer of the safety property that the door and gear do not collide. The actual observer is the parallel composition of these two machines. The complete observer has 4 states, 13 transitions and when combined with the system, the resulting machine has only 9 states and 35 transitions. This appeared to be a very small proof and the decompositional techniques would be hard pressed to improve on it. 3.3 Ad Hoc Decompositional Verication In this subsection we consider verifying the property using an ad hoc approach to nding our intermediate property P 0 . The problem of synthesising this property automatically is complex, and we consider it in section 4. Here we consider nding a suitable property by using our intuitive understanding of the operation of the system. There are two ways in which we can go about searching for P 0 . Either we can look for a property P 0 that is a property of the plant, or we can look for a property P 0 that is a property of the controller. In fact we tried both here. The property is, of course, expressed as an observer. Finding suitable observers was a far from trivial task. We started by building observers that expressed what we thought might be sucient conditions, and kept adding restrictions until we could make both steps of the proof hold. The resulting observers expressed much stronger properties than were necessary in the end. In the search for P 0 we were helped by the fact that we already knew that our composed system satised P . The task would have been much harder if we were trying to actually verify P for the rst time, in which case proof failures could have been caused by errors in the system models as well as deciencies in P 0 . Both our observers were larger than the observer of the system property. The controller observer had 4 states and 61 transitions, its two verication steps involved machines of size 19 states, 151 transitions and 13 states 212 transitions. The plant observer had 26 states and 2676 transitions and had verication steps with machines of sizes 27 states, 402 transitions and 61 states, 5108 transitions. Clearly both of these decompositions produced two much larger proofs than the verication of the composed system. 3.4 Does Decomposition Pay O? The example considered here is small, but large enough to be illustrative. From the work presented here we can conclude, that for similar cases: { The composition of plant and controller can be smaller than either component. { It is dicult to nd an intermediate property suitable for decompositional proof by hand. { Even when an intermediate property is found the two steps of the decompositional proof can involve larger constructions than the single proof of the composed system. We tentatively conclude that this was not a suitable situation to apply decompositional verication. Part of the problem that we experienced in applying the technique of decomposition to this example was due to the diculty of nding a suitable intermediate property P 0 . The properties that we came up with in both cases were stronger than required. Ideally we would use the weakest possible P 0 . This would have the advantage that the two steps of the decompositional proof would provide necessary and sucient conditions for our overall property to be satised by the composed system. 4 Weakest Observers 4.1 Synthesis Method Halbwachs et.al. propose a method for synthesis of the weakest property P 0 , and present a proof for the the following statement: if the property P 0 is arrived at in the proposed manner then it suces to perform step 1 of the decompositional technique for proving the property P . To put this statement more precisely we restate a few auxiliary denitions. Let traces(Q) be the set of all nite traces = e1; : : : ; en such that (qn,1 ; in ; on ; qn ) 2 M , in [ on = en , and qn 2 Q. For a trace = (e1 ; : : : ; en ; : : :) we dene the projection of on a set of signals S 0 as the trace # S 0 = (e1 \ S 0 ; : : : ; en \ S 0 ; : : :). The projection of a set of traces T on a set S 0 is dened as T # S 0 = f # S 0 j 2 T g. Finally, if T is a set of nite traces on S , then C (T ) is dened to be the set of traces on S which do not have any prex in T . To prove that M1 k M2 satises P (denoted j= P ), Halbwachs et.al. suggest the following method. Proposition 7. [5] Let P be an observer for P emitting on violation of P . Let Terr = traces(QM1 fqg) and let P 0 = C (Terr # S2 ). Then M2 j= P 0 , M1 k M2 j= P This proposition provides a method for doing decompositional verication that avoids the need for iterating, because the bottom line of claim 7 is an `if and only if'. In other words if we generate the property in this way, then if P 0 is satised by M2 the proof is successful, if it fails to be satised by M2 then we know that one of the machines M1 or M2 is awed. Although this proof is expressed in terms of traces, it can clearly be implemented in terms of observers. The property C (Terr # S2 ) can be expressed as an observer constructed from the synchronous product of M1 and P , by changing signals from outputs to inputs (except ) and restricting the signals to those in S2 . This observer can then be used to check the properties of M2 in the usual way. 4.2 Discussion In comparing the dierent proof approaches we are interested in the size, that is number of states and transitions, of the I/O machines involved in the verication process. A decompositional approach might be considered worthwhile if it involves signicantly smaller machines. We have already observed that the composition of a plant and controller can result in a small machine. To see why we must consider the denition of synchronous product. For two machines A and B the size of their product C = A k B is related to the way in which the input to the composed machine is dened. Here its inputs are dened as IC = (IA n OB ) [ (IB n OA ). Constraining the input alphabet in this way means that some potential transitions in C cannot exist because all their inputs have been removed from IC . This situation will occur when the inputs of one machine are the outputs of another. Clearly this is the case in the situation of a plant and controller. In the extreme IA = OB and IB = OA in which case only spontaneous transitions i.e. those with empty input will survive. In the case of our synthesized observer P , it is clear that it will be the same size as M1 k P . Consequently the verication step on this machine which involves checking to see if P k M2 emits , will involve comparable sized machines to the compositional verication step which checks M1 k M2 k P for emissions. Not only is the last step comparable, the intermediate step it takes can also involve the unnecessary introduction of a large machine. Such an P synthesized as a property of the plant in our landing gear example has 29 states and 547 transitions. The observer P , as we have described it, is not of course the minimal weakest observer. We need to preserve any transitions in any path leading to an -state. However any other transitions could be removed. This minimised version of P could possibly provide smaller verications. In practice, we found 0 0 0 0 0 that there were no opportunities for such minimisations when the techniques were applied to our example, since every transition was in a path leading to an -state. 5 Summary In this paper we have considered the use of synchronous observers for verication of embedded systems. We have considered a case where we have a property P that can not be ascribed to the plant or the controller alone { rather, it is a property of the composed system. To begin with, we note that starting to model the composed system is not to recommend for two reasons. First, to ensure correspondence with physical models, separate plant modelling is necessary. Second, checking the property of the composed system model does not give any hints as to what the controller should look like. Separate controller modelling leads to easier realisation of the control program code. Next, we have considered alternative verication strategies. In this case it seems clear that a decompositional verication of the plant and controller can lead to harder proofs than a direct verication of the composed system, due largely to the tight interaction between the plant and the controller. It may be the case that alternative decompositions of the system into components which share fewer signals would be more fruitful. However such decompositions may not be a natural feature of the constructed hybrid models. Finally a note on complexity of models. A signicant problem being constantly attacked by the verication community is the state explosion problem. While eorts in this direction are essential for applications in the real world, we hope to have demonstrated in this paper that clever modelling can complement these eorts by keeping the size of the system under analysis to a minimum. Appendix %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % % Landing Gear Controller % % Author: Martin Westhead % % This is an implementation of a controller for a simple % landing gear model. % % Inputs: cmd_up - retract gear, cmd_down extend gear, % dro - door open, dc - door closed,gl - gear lowered, % gr - gear raised. % Outputs: od - open door, cd - close door, rg - raise gear, % lg - lower gear, gq qery gear state, dq - query door state module CONTRL : input cmd_up, cmd_down, dro,dc,gl,gr; output od,cd,rg,lg,gq,dq; await cmd_down; % nothing happens until pilot lowers gear loop do emit gq; % query state of gear present gl else % gear is already lowered? run open_door; emit lg; % send lower gear signal await gl; % wait for gear to be lowered end; run close_door; up to cmd_up; do emit gq; present gr else run open_door; emit rg; await gr; end; run close_door; upto cmd_down; end % gear is already raised? % send raise gear signal % wait for confirmation References 1. M. Abadi and L. Lamport. Composing Specications. In J.W. de Bakker, W.P. de Roever, and G.Rozenberg, editors, proceedings of the REX workshop on stepwise renement of distributed systems, LNCS 430, pages 1{41. Springer Verlag, 1989. 2. A. Brjesson, K.G. Larsson, and A. Skou. Generality in Design and Compositional Verication Using TAV. Formal Methods in System Design, 6:239{258, 1995. 3. H. De-Leon and O. Grumberg. Modular Abstractions for Verifying Real-time Distributed Systems. Formal Methods in System Design, 2:7{43, 1993. 4. R.L. Grossman, A. Nerode, A.P. Ravn, and H. Rischel, editors. Proc. Workshop on Theory of Hybrid Systems, October 1992, LNCS 736, Lyngby, Denmark, 1993. Springer Verlag. 5. N. Halbwachs, F. Lagnier, and P. Raymond. Synchronous observers and the verication of reactive systems. In M. Nivat, C. Rattray, T. Rus, and G. Scollo, editors, Third Int. Conf. on Algebraic Methodology and Software Technology, AMAST'93, Twente, June 1993. Workshops in Computing, Springer Verlag. 6. L.J. Jagadeesan, C. Puchol, and J.E. Von Olnhausen. A Formal Approach to Reactive Systems Software: A Telecommunications Application in Esterel. Formal Methods in System Design, 8:123{151, 1996. 7. R. Kaivola. Compositional Model Checking for Linear-Time Temporal Logic. In Proc. 4th int. workshop on Computer Aided Verication, pages 248{259. Springer Verlag, 1992. 8. R. Milner. Communications and Concurrency. Prentice-Hall, 1989. 9. S. Nadjm-Tehrani and J-E. Stromberg. From physical modelling to compositional models of hybrid systems. In Proc. of the 3rd International Conference on Formal Techniques in Real-time and Fault-tolerant Systems, pages 583{604. LLNCS 863, Springer Verlag, 1995. 10. S. Nadjm-Tehrani and J-E. Stromberg. Proving dynamic properties in an aerospace application. In 16th International Symposium on Real-time Systems, pages 2{10. IEEE Computer Society Press, December 1995. 11. P.J.G. Ramadge and W.M. Wonham. The Control of Discrete Event Systems. Proceedings of the IEEE, 77:81{97, 1989. 12. Martin D. Westhead and John Hallam. Modelling hybrid systems as the limit of discrete computational processes. In International Conference on Robotics and Automation. IEEE, 1996. This article was processed using the LaTEX macro package with LLNCS style